Merge pull request #595 from apache/update-spring-boot

update spring boot
apache · Dec 23, 2022 · d477a0f · d477a0f
2 parents c205b5e + 42f8a4b
commit d477a0f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/pom.xml b/pom.xml
@@ -105,7 +105,7 @@
         <logback.version>1.2.11</logback.version>
         <log4j.version>2.19.0</log4j.version>
         <spring.version>5.3.23</spring.version>
-        <spring-boot.version>2.7.5</spring-boot.version>
+        <spring-boot.version>2.7.7</spring-boot.version>
         <guice.version>4.2.3</guice.version>
         <jaxrs.api.version>2.1.1</jaxrs.api.version>
         <htmlunit.version>2.66.0</htmlunit.version>
@@ -949,6 +949,12 @@
                     </exclusion>
                 </exclusions>
             </dependency>
+            <!-- transitive dep of commons-config, force newer version -->
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-text</artifactId>
+                <version>1.10.0</version>
+            </dependency>
 
             <dependency>
                 <groupId>org.owasp.encoder</groupId>

diff --git a/src/owasp-suppression.xml b/src/owasp-suppression.xml
@@ -37,4 +37,11 @@
         <cpe>cpe:/a:internet2:opensaml:1.1</cpe>
     </suppress>
 
+    <suppress>
+        <!-- The CPE doesn't have the upper bound set correctly -->
+        <notes><![CDATA[ file name: spring-web-5.3.23.jar ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+    </suppress>
+
 </suppressions>